Question 38
Domain 1 — AI Governance and Risk ManagementAn IS auditor uses an AI model to summarize worksheets, but several worksheets contained a " Hidden Cell " instructing the model to ignore control failures. Which solution BEST mitigates the risk?
Correct answer: D
Explanation
Allowing extraction only to predefined values and headers limits the model’s input to trusted fields and blocks hidden instructions embedded in cells. This follows the principle of least privilege and input sanitization: the model should process only approved data, not arbitrary worksheet content that could contain prompt injection like a "Hidden Cell" telling it to ignore control failures.
Why each option is right or wrong
A. Instruct the model to ignore instructions in data and set high temperature.
B. Ensure read-only mode with track changes is enabled.
C. Convert files to PDF before uploading to the AI model.
D. Allow extraction only to predefined values and headers in the worksheets.
Prompt-injection risk is best reduced by constraining the model’s input surface to only approved worksheet fields, rather than free-form cell content. Under the principle of least privilege and input validation/sanitization, the model should be permitted to read only predefined values and headers, so any hidden cell text cannot be ingested as instructions and cannot override the intended summarization task.